
Re: What pain points exist in the current security-tracker structure?



Hi,

On 06/04/2025 09:25, Roberto C. Sánchez wrote:
> As you go about tasks which require interacting with the security
> tracker, what pain points exist for you?

One pain point that happened again today is the confusing terminology.

In particular:

- "no-dsa": everybody gets confused by this: users, maintainers, LTS contributors. It's generally understood as "won't fix", while it can be fixed through means other than a DSA (typically a PU).
In general, let's not name something using a negative.

Let's keep in mind that even among DDs/DMs the different security workflows aren't clear (DSA, PU), they usually only upload to unstable.

It gets even more confusing when the CVE eventually moves to LTS.

The fact that it has "sub-states" with postponed & ignored is unique in the tracker and brings further confusion.

"deferred" (as in: deferred from the Debian Security Team to the rest of Debian: maintainers, release team, LTS team, etc.) may be better, though still unclear to a common Debian user.

Dropping "no-dsa" and only using "postponed" and "ignored" would be another proposal.


- "Minor issue": again this is Security Team-centric, and it confused upstream, e.g. Samba:
https://lists.debian.org/debian-security/2021/05/msg00011.html

It's rarely mentioned why an issue is Minor and this can be puzzling (I try to add a few words of context myself).

"Minor issue" covers a wide range of issues, usually anything that isn't critical and/or remote, but it is explicitly outside of any rating system (CVSS, etc.) as it should be assessed in the context of Debian only.

"Minor issue" is very much tied to the no-dsa(postponed,ignored) group of states, and is somewhat redundant.

"Can be fixed in point release" mostly conveys the same meaning and would avoid thinking about "Minor" vs. Medium/High/Critical.


So overall coming up with a clearer terminology, tested with random users and Debian contributors to ensure good "UX", would be good and save time IMHO.

Cheers!
Sylvain

